Is the weakness of encryption software the password?

I have a doubt: what is the real security of encryption software, even at 256 bits or more, if the password to launch the software is a common password? I can use a password of 17 or 22 random characters, but it will always be much different from the 256-bit encrypted files inside the software; the password will be the weak element of the software.

There can be many other weaknesses in such software. For example, some software uses your password:
- as an input to derive the encryption key <-- better
- as an input to decrypt an encrypted key stored locally <-- not that good
- as the key <-- really bad scenario
- as an input to verify that the stored encryption key can be loaded from the storage <-- your nightmare

Other weaknesses may occur on:
- the chosen algorithm implementation <-- was it reviewed? Is it the reference implementation or an "implementation based on a specification"?
- the algorithm configuration and key initialization steps <-- what is the encryption mode, the initialization technique, etc.?

Finally, many problems relate to poor key entropy/use of randomization. For example, you can have a 256-bit key generated uniquely from a low-entropy input (typically: someone typing something on a keyboard is a really bad idea). Technically speaking, you still have your 256-bit key array, but only a few bits may actually turn to 0s or 1s, which makes an attacker's work easier.

In conclusion, you can only assume that the master password becomes the weakness of password management software once the software itself is considered "secure".

Said otherwise: password management software may be considered safe once its cryptographic defense literally requires cracking your password and nothing else.

Assuming your software gives you that guarantee, your next step is to decide how long and complex your secret should be, which translates to "how much entropy do you want?"
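As an added example (not code from the thread), the scenarios in the list above and the entropy argument worked in Python: the password padded out "as the key" versus a key derived from it with PBKDF2, and a count of how many of the 256 key bits actually vary. The salt, the iteration count and the deterministically constructed sample passwords are assumptions for the demo.

```python
import hashlib
import math
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars
KEY_BYTES = 32  # a 256-bit key


def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest random password over the alphabet that carries at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def key_as_password(password):
    """'As the key' scenario: password bytes zero-padded (or truncated) to 32 bytes."""
    return password.encode("ascii")[:KEY_BYTES].ljust(KEY_BYTES, b"\x00")


def key_derived(password, salt, iterations=600_000):
    """'Input to derive the key' scenario: PBKDF2-HMAC-SHA256 from the stdlib.
    Entropy is still capped by the password, but each guess costs the attacker
    `iterations` HMAC computations and the salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def varying_bit_count(keys):
    """Number of bit positions that take both 0 and 1 somewhere across `keys`."""
    or_all, and_all = 0, (1 << (8 * len(keys[0]))) - 1
    for k in keys:
        v = int.from_bytes(k, "big")
        or_all, and_all = or_all | v, and_all & v
    return bin(or_all & ~and_all).count("1")  # set in some key, clear in another


def sample_passwords(count, length):
    """Constructed, deterministic stand-ins for random passwords (SHA-256 of a counter)."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(i.to_bytes(4, "big")).digest()  # up to 32 chars
        out.append("".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length]))
    return out


if __name__ == "__main__":
    pws = sample_passwords(64, 17)
    print(f"17 random printable chars: {password_entropy_bits(17):.1f} bits of entropy")
    print(f"length needed for 256 bits: {min_length_for_bits(256)}")
    print("varying key bits, password used as key:", varying_bit_count([key_as_password(p) for p in pws]))
    print("varying key bits, PBKDF2-derived key:  ", varying_bit_count([key_derived(p, b"demo-salt", 1000) for p in pws]))
```

With the password used directly, 15 padding bytes and the top bit of every ASCII character never change, so at most 119 of the 256 key bits carry any information; the derived key spreads the same limited entropy across all 256 bits but cannot create more of it.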

> Finally, many problems relate to poor key entropy/use of randomization. For example, you can have a 256-bit key generated uniquely from a low-entropy input (typically: someone typing something on a keyboard is a really bad idea).

Proof? The Linux RNG (/dev/random) uses exactly this method for collecting entropy (mouse movements, keyboard presses, OS interrupts and other random data on the machine). It then mixes these bits into a pool and hashes them with SHA-1. There has never been any successful attack on /dev/random (there are some theoretical attacks that rely on the attacker having root access on the machine and then carrying out some insanely difficult attacks from there, but surely most people would be aware of the strange man in their house sitting behind their keyboard?).

> Said otherwise: password management software may be considered safe once its cryptographic defense literally requires cracking your password and nothing else.

Modern crypto (if implemented properly and to spec) is very strong. The weakest link is always the passphrase that protects the key.